Real-time feature level software security

ABSTRACT

Systems and techniques for real-time feature level software security are described herein. A request may be received from a computing device for data from the feature of the software application. The request for data may include authorization information of a user of the computing device. It may be identified that the feature of the software application contains code containing a reference to a security configuration service. A security configuration may be determined for the feature of the software application by comparing a resource identifier and a feature identifier of the feature of the software application to a set of security configurations of the security configuration service. The security configuration may provide access rules for the feature of the software application. A response may be sent to the computing device based on a comparison of the received authorization information of the user of the computing device to the determined security configuration.

TECHNICAL FIELD

This application is a continuation-in-part of U.S. patent application Ser. No. 16/384,261, filed Apr. 15, 2019, which is a continuation of U.S. patent application Ser. No. 15/142,274, filed Apr. 29, 2016, each of which are incorporated by reference herein in their entirety.

TECHNICAL FIELD

The present subject matter relates to the field of application security, and more specifically, but without limitation to, providing feature level security for applications in real-time.

BACKGROUND

Data breaches caused by external threats and internal security holes are becoming more commonplace. Existing security frameworks and standards may mitigate the risks of a data breach. However, the current techniques used to implement the existing security frameworks and standards may involve extensive modification of existing application code by an experienced application developer. As a result, there may be a delay between identification of a security risk and remediation.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings, which are not necessarily drawn to scale, like numerals may describe similar components in different views. Like numerals having different letter suffixes may represent different instances of similar components. The drawings illustrate generally, by way of example, but not by way of limitation, various embodiments discussed in the present document.

FIG. 1 illustrates a block diagram of an example of a system for real-time feature level software security, according to various embodiments.

FIG. 2 illustrates a block diagram of an example of a system for real-time feature level software security, according to various embodiments.

FIGS. 3A & 3B illustrate an example of a graphical user interface for use in implementing real-time feature level software security, according to various embodiments.

FIG. 4 illustrates a flow diagram of an example of a method for real-time feature level software security, according to various embodiments.

FIG. 5 illustrates a block diagram of an example of a data center for balancing security requests, in accordance with some embodiments.

FIG. 6 illustrates a block diagram of an example of a security request distribution and balancing system, in accordance with some embodiments.

FIG. 7 illustrates flow diagram of an example of a method for real-time feature level software security balancing, according to various embodiments.

FIG. 8 is a block diagram illustrating an example of a machine upon which one or more embodiments may be implemented.

DETAILED DESCRIPTION

Computer systems are threatened by external threats (e.g., hackers, etc.) and internal threats (e.g., security holes, disgruntled employees, etc.). Holes in application security may be exploited by an attacker to obtain confidential data that may be used for nefarious purposes (e.g., identity theft, credit card fraud, etc.). Existing security frameworks and standards may be employed to mitigate threats to computer systems. However, the existing techniques may involve a high level of subject matter expertise and extensive modification of existing code which may result in inconsistent and ineffective threat mitigation.

Systems and techniques for real-time feature level software security are disclosed herein that may reduce the complexity of threat mitigation by providing an end-to-end (e.g., application development, security management, client, server, etc.) application security framework. The presented techniques may provide a variety of benefits over traditional techniques including, but not limited to, reducing modification of existing code, providing consistent and secure authorization across multiple computer operating systems (e.g., Windows®, Linux, Unix, etc.), support for a variety of programming languages, command-line utilities (e.g., for securing automation, databases, support scripts, etc.), integration with existing and future enterprise systems (e.g., directory services, security systems, etc.), real-time permissions control, real-time threat detection and avoidance, and leveraging standards-based extensibility technology (e.g., APIs, etc.).

The present subject matter may be implemented using a variety of software development environments and/or technologies such as, for example, Java®, Python®, C, C++, Ruby, JavaScript®, C#, PHP, etc. In some examples, the present subject matter may provide command line utilities for securing application functions initiated at a command line such as, for example, automation, databases, scripts, etc. The present subject matter may be capable of integration with a number of current and future enterprise computing ecosystem components such as, for example, directory services, unified security management, user-based security management, identity access management, access control, etc. The present subject matter may allow real-time permissions changes by a compliance department employee without altering application code. The present subject matter may provide the ability to automatically perform real-time threat detection and avoidance. The present subject matter may leverage standard application program interfaces (APIs) and technologies for extensibility and compatibility. Other benefits may be realized by a person of ordinary skill in the art.

The term “feature” is used throughout this disclosure and as used herein may refer to a block of application code that may allow the application to perform a set of routines (e.g., initiating computer hardware, performing calculations, performing data manipulations, encrypting/decrypting data, etc.). It may also be understood that applications may contain a number of features that, when combined, comprise the functionality of the application.

FIG. 1 illustrates a block diagram of an example of a system 100 for real-time feature level software security, according to an embodiment. The system 100 may include a client computer 105 (e.g., personal computer, portable device, smartphone, tablet, etc.). The client computer 105 may be running an application 110 (e.g., executing locally, executing on a remote computer on a network, etc.). The client computer 105 may be communicatively coupled (e.g., over a network, etc.) to a security configuration service 125 and an authorization service 130. The application 110 may include one or more features 115 and each feature 115 may include security configuration code 120.

The security configuration service 125 and the authorization service 130 may comprise one or more processors (e.g., hardware processor 802 described in FIG. 8, etc.) that execute software instructions, such as those used to define a software or computer program, stored in a computer-readable storage medium such as a memory device (e.g., a main memory 804 and a static memory 806 as described in FIG. 8, a Flash memory, random access memory (RAM), or any other type of volatile or non-volatile memory that stores instructions), or a storage device (e.g., a disk drive, or an optical drive). Alternatively, the security configuration service 125 and the authorization service 130 may comprise dedicated hardware, such as one or more integrated circuits, one or more Application Specific Integrated Circuits (ASICs), one or more Application Specific Special Processors (ASSPs), one or more Field Programmable Gate Arrays (FPGAs), or any combination of the foregoing examples of dedicated hardware, for performing the techniques described in this disclosure. The security configuration service 125 and the authorization service may be implemented one a single computing device (e.g., physical server, virtual server, client computer, etc.) and their respective functions may be distributed across multiple computing devices (e.g., a collection of networked servers, cloud computing instance, etc.).

The authorization service 130 may provide authorization of presented (e.g., transmitted, received, input by a user, transmitted by a web server, etc.) identities (e.g., user account, computer account, etc.). The authorization service 130 may employ a variety of authorization techniques including, but not limited to, single sign-on, federation, kerberos, and x509 certificates. The authorization service 130 may employ a variety of encryption techniques such as secure sockets layer. The authorization service 130 may be communicatively coupled to a variety of security data bases containing security account information (e.g., user names, passwords, group membership, roles, etc.). The authorization service 130 may receive an authorization request and in response may issue a token including a set of security information (e.g., group membership, claims, rights, entitlements, etc.).

The security configuration service 125 may include a variety of security configurations that may define the actions that an entity (e.g., user, computer, etc.) may perform for an application feature such as feature 115 of application 110. For example, a user in a specific user group may be able to encrypt data sent between the client computer 105 and the application 110 using an encryption feature of the application 110. The security configurations may use a variety of permissions models such as role based permissions, user based permissions, user group based permissions, and computer group based permissions. Resources and features may have identifiers that allow them to be identified throughout the system. The identifiers may be implemented in a variety of ways including, for example, text strings, tokens, keys, etc. The security configurations may be organized by the security configuration service 125 using a resource identifier (e.g., identifying an application, etc.) and a feature identifier (e.g., identifying an encryption feature, etc.).

The security configurations may be read by a client or server computer before determining to allow access a feature of an application. For example, an application server (e.g., a webserver, database server, etc.) may read the security configuration when a user requests a feature of an application hosted by the application server. In some examples, an application may include a server component (e.g., running on an application server, etc.) and a client component (e.g., running on a user computer, handheld device, etc.) and the security configurations may be accessed by the client component when a user accesses the application using the client component.

The security configurations may be separated from the application. Thus, changes may be made to a security configuration without modifying application code. For example, the security configuration may be defined or updated by a person that may not have application programming skills (e.g., compliance personnel, security personnel, etc.). In some embodiments, a graphical user interface may be provided to aid in maintenance of security configurations as shown in FIGS. 3A & 3B. In addition, security configuration changes may be made in real-time. The changes may be effectuated instantaneously or the next time a person requests the feature of the application.

The application 110 may include a variety of features such as feature 115. Each feature may be a collection of programming code that may be responsible for performing one or more actions (e.g., data handling, calculations, etc.). Each feature may include a block of security configuration code such as security configuration code 120. The security configuration code 120 may specify a variety of configuration items such as a security configuration provider (e.g., security configuration service 125), a resource name, an application name, an authorization provider (e.g., authorization service 130), and an encryption provider. In some embodiments, the configuration information may be read using an application programming interface (API) call. The configuration items may be used to communicate with the security configuration service 125 and the authorization service 130 to determine a set of actions that an entity is allowed (or not allowed) to perform for the feature 115 of the application 110. Reference is made to the security configuration code 120 being included in the feature 115 however it will be readily understood that the security configuration code may be provided in a variety of configurations such as included in a block of global code included in the application and split between a global code block and the feature code block.

A request may be received (e.g., by an application server, an application, etc.) from an entity (e.g., user, computer, another application, etc.) for data (e.g., a calculation result, data retrieval, etc.) from the feature 115 of the software application 110. The request for data may include authorization information (e.g., username, password, etc.) of a sender of the request (e.g., user, computer, another application, etc.). It may be identified by a client component or application server (e.g., via API call, etc.) that the feature of the software application contains code containing a reference to a security configuration service (e.g., security configuration service 125). For example, an API call may be initiated by an application server hosting the application 110 upon receiving a request for the feature 115.

A security configuration may be determined for the feature of the software application by comparing (e.g., using semantic matching, etc.) a resource identifier and a feature identifier of the feature of the software application to a set of security configurations of the security configuration service. For example, an application server hosting the application 110 may send an API call to the security configuration service 125 including a resource identifier and a feature identifier and the security configuration service 125 may return a security configuration corresponding to the identifiers. The security configuration may provide access rules for the feature of the software application (e.g., read, write, perform certain calculations, retrieve certain data, encrypt data, etc.). In some examples, the security configuration may include a set of access entitlements (e.g., a set of access rights, etc.).

A response may be sent (e.g., by an application server, client component, etc.) to the sender of the request for data based on a comparison of the received authorization information to the determined security configuration. For example, a user's (e.g., sender of the request) account may be included in a security group “test users” and the security configuration information may allow users in the test users group to retrieve an unencrypted list of customer names. The unencrypted list of customer names may be sent to the user upon receiving security information indicating that the user's account is in the test users group. In an example, comparing the received authorization information to the security configuration may include comparing a user entitlement of the set of user entitlements with an access entitlement included in the security configuration. In some examples, the set of access entitlements may include granular rules (e.g., individual rules for sub-features of the feature, etc.) to perform operations using the feature of the software application.

In some embodiments, it may be determined (e.g., by an application server, client component, etc.), using the security configuration, that a data item identified in the request for data should be encrypted before transmission. For example, a security configuration may be retrieved by an application server for the feature 115 of the application 110 that indicates that a data item should be encrypted before transmission to the user. The application server may interact with an encryption provider (e.g., local encryption processor, remote encryption service, etc.) to encrypt the data item before transmitting the data item to the user. The data item may be encrypted using an encryption algorithm. The encrypted data item may be included in the response to the sender. In some embodiments, it may be determined, using the security configuration, that a first data item identified in the request for data should be encrypted before transmission and a second data item identified in the request of data should be transmitted unencrypted. The first data item may be encrypted using an encryption algorithm. The encrypted first data item and the unencrypted second data item may be included in the response to the sender. In some embodiments, the software application may contain code containing a reference to an encryption processor (e.g., an encryption server, cryptographic processor, etc.). The data item may be encrypted by the encryption processor.

In some examples, statistics corresponding to the request for data may be gathered (e.g., frequency of request, average number of requests, geographic offset between the request and prior requests, number of data items requested, composition of requested data, etc.). A deviation may be determined between the statistics and a model of a standard request for data. For example, it may be determined that a model request contains a request for data type A, data type C, and data type Y and the current request is requesting data type A, data type C, and data type Z. Access to the feature of the application may be blocked based on the deviation. Thus, threats may be determined based on statistical deviations in real-time upon requesting access to an application feature.

In some embodiments, a security configuration graphical user interface (e.g., application window, web page, etc.) may be generated by an administration service (e.g., an administration server, administration application, etc.) for displayed on a client device (e.g., via a display device in a computing device, etc.). A set of inputs (e.g., pointer clicks, drag and drop, keystrokes, etc.) may be received via the security configuration user interface. The security configuration may be generated using the received set of inputs. For example, the security configuration may be generated based on a combination of keystrokes and mouse clicks. In some example, the generated security configuration may be stored in a database.

FIG. 2 illustrates a block diagram of an example of a system 200 for real-time feature level software security, according to an embodiment. The system 200 may provide similar functionality as described in FIG. 1. The system 200 may be executed on one or more computer systems (e.g., server computer, client computer, virtual server, cloud service, etc.) communicatively coupled to a network (e.g., wired network, wireless network, etc.) and may include a client 205, a security configuration service 210, an authorization engine 220, an encryption processor 225, one or more databases 215, and an administration service 230.

The client 205 (e.g., computer, smartphone tablet, web client, etc.) may be used by a user to execute software applications (e.g., the application 110 described in FIG. 1). The client 205 may be participating in a computer network (e.g., wired network, wireless network, etc.). A variety of configurations may be used in delivering an application for use by the client 205. An application executed by the client 205 may be installed locally or may be running remotely on a network connected application server. Upon execution of the application a request may be sent requesting access to a feature of the application.

The authorization engine 220 may be responsible for providing authorization services for a computer network. The authorization engine 220 may be communicatively coupled to a variety of security databases (e.g., user account database, directory services database, computer account database, etc.) and security applications (e.g., directory services, user permission manager, role management, user matrix manager, etc.) that the authorization engine 220 may use to verify the authorization of credentials provided by an entity (e.g., a user, computer, application, etc.) requesting access to a resource. Upon receiving a request for authorization, the authorization engine 220 may query the security databases and security applications to determine if the authorization information (e.g., account name, password, role, etc.) is authentic.

In some examples, the authorization engine 220 may be using single sign on (SSO), and a single set of credentials may be used to access a number of resources each having a unique set of individual credentials. The authorization engine 220 may maintain a matrix of credentials indexed to the single set of credentials. An entity may present the single set of credentials for authorization to a resource having a unique set of credentials and the authorization engine 220 may reference the matrix to verify that the unique set of credentials is indexed to the single set of credentials. Thus, the entity may present the single set of credentials for authorization to a variety of resources. In some examples, the authorization engine 220 may respond to an authorization request including the single set of credentials by generating a token including a set of issued claims (e.g., a claims-based identity, etc.). The set of issued claims may include a variety of authorization information (e.g., validated credentials, resource permissions, etc.). The token may be used to determine if the entity should be granted (or denied) access to a resource (e.g., a file share, an application, a database, an encryption service, etc.).

In some examples, the authorization engine 220 may be identified in a block of code of an application for providing authorization for features of the application. For example, an application may contain a block of code identifying the authorization engine 220 as an authorization provider and when a user requests a data item from a feature of the application a request may be sent to the authorization engine 220 requesting authorization of authorization information provided by the user.

The encryption processor 225 may be responsible for providing encryption services for a computer network. The encryption processor 225 may receive a request to encrypt data. The request may include a token generated by the authorization engine 220. The encryption processor 225 may fulfill the request to encrypt the data based on the token. Similarly, the encryption processor 225 may receive a request to decrypt data. The request may include a token generated by the authorization engine 220. The encryption engine 225 may fulfill the request to decrypt the data based on the token. In some examples, the encryption processor 225 may be identified in a block of code in a software application and encryption/decryption requests may be sent to the encryption processor 225 based on the identification in the block of code. For example, an application may contain a block of code identifying the encryption processor 225 as an encryption provider and a user may request a data item from a feature of the application. A request may be sent to the encryption processor 225 to encrypt the data item before it is sent to the user.

The security configuration service 210 may be responsible for maintaining security configurations for applications. The functionality of the security configuration service 210 may be similar to the security configuration service 125 as described in FIG. 1. The security configuration service 210 may be communicatively coupled to one or more databases 215 for storing security configurations. The security configurations may be indexed using a variety of indexing schemes, for example, a security configuration may be indexed by a resource identifier and a feature identifier. A security configuration may include one or more rules (e.g., permission level, data access permissions, etc.) defining access to a resource (e.g., an application, a feature of an application, a server, etc.). The security configuration may contain a set of entitlements based on a component of authorization information. For example, users in a test user group may be entitled to obtain unencrypted data from a feature of an application.

In some examples, an application may contain a block of code identifying the security configuration service 210 as a security configuration provider. Upon receiving a request for access to a feature of the application, the application (or an application server) may send a request to the security configuration service 210 including authorization information for the requester. A security configuration may be determined for the requested feature of the application by the security configuration service 210 using a resource identifier and a feature identifier included in the request. The authorization information may be compared to the security configuration to determine the appropriate access to the feature of the application. For example, the security configuration for a data retrieval feature of an application may entitle users with a role of manager to retrieve data from data sources A, B, and C and may entitle users with a user role to retrieve data from data source A. When a user with role user accessing the application may be allowed to use the data retrieval feature of the application with data retrieved from data source A and not data sources B and C.

The administration service 230 may include a graphical user interface for maintaining (e.g., creating, updating, etc.) security configurations. The administration service 230 may be provided as a stand-alone application or may be provided by another network component. In some examples, the security configuration service 210 and the administration service 210 may be implemented on the same (or separate) hardware. The administration service 230 may provide the ability to create or modify security configurations as described above. The security configurations may be stored in the one or more databases 215. A user may be able to select a security configuration to modify using a variety of user interface elements (e.g., textboxes, dropdown boxes, buttons, radio buttons, selection boxes, sliders, etc.) provided by the graphical user interface. Likewise, the user may be able to use a variety of user interface elements to create a new security configuration. Example graphical user interfaces are provided in FIGS. 3A and 3B.

The client 205, security configuration service 210, authorization engine 220, encryption processor 225, and administration service 230 may comprise one or more processors (e.g., hardware processor 802 described in FIG. 8, etc.) that execute software instructions, such as those used to define a software or computer program, stored in a computer-readable storage medium such as a memory device (e.g., a main memory 804 and a static memory 806 as described in FIG. 8, a Flash memory, random access memory (RAM), or any other type of volatile or non-volatile memory that stores instructions), or a storage device (e.g., a disk drive, or an optical drive). Alternatively, the client 205, security configuration service 210, authorization engine 220, encryption processor 225, and administration service 230 may comprise dedicated hardware, such as one or more integrated circuits, one or more Application Specific Integrated Circuits (ASICs), one or more Application Specific Special Processors (ASSPs), one or more Field Programmable Gate Arrays (FPGAs), or any combination of the foregoing examples of dedicated hardware, for performing the techniques described in this disclosure.

FIGS. 3A & 3B illustrate an example of a graphical user interface (GUI) for use in implementing real-time feature level software security, according to an embodiment. FIGS. 3A & 3B are an examples of a security configuration editor graphical user interface. FIGS. 3A & 3B may be used for creating and editing security configurations as described in FIGS. 1 & 2.

FIG. 3A illustrates a graphical user interface 305 for editing a Dev Claim Check condition for an Encrypt resource. The Dev Claim Check condition may allow access to the Encrypt resource if a claim presented (e.g., a claim issued by the authorization engine 220 as described in FIG. 2) has a value that matches DEV.ALLOWENCRYPT. If the value in the claim matches the value in the condition the user may be allowed to access the Encrypt resource (e.g., to encrypt content, etc.).

FIG. 3B illustrates a graphical user interface 310 for editing a Test User Check condition for a Decrypt resource. The Test User Check condition may allow access to the Decrypt resource if authorization information for a user indicates the user is a member of a group DOMAIN\TEST. In the user's account matches the condition the user may be allowed access to the Decrypt resource (e.g., the decrypt content, etc.).

As shown in FIGS. 3A & 3B and described in FIGS. 1 & 2, the security configurations may be indexed using a variety of indexing schemes. For example, the security configurations may be organized in a hierarchical structure with child features cascading from parent resources. It will be readily understood that a variety of organizational methods may be used and that a database containing the security configuration may be organized differently (or the same) as a graphical user interface used to manage the security configurations such as graphical user interfaces 305 & 310. In some examples, child features may inherit the security configuration of a parent feature. For example, if a new feature is added as a child of an existing feature, the new feature may inherit the security configuration of the existing feature. Thus, it may not be necessary to create a new security configuration for each new feature.

FIG. 4 illustrates flow diagram of an example of a method 400 for real-time feature level software security, according to an embodiment. The method 400 may provide security for a feature of a software application in real-time. The method 400 may provide similar functionality to that described in FIG. 1 and may employ a variety of components described in FIGS. 2 & 8.

At operation 405, a request may be received from a computing device (e.g., the client 205 as described in FIG. 2) for data from a feature (e.g., feature 115 as described in FIG. 1) of a software application (e.g., application 110 as described in FIG. 1). The request may include authorization information of a user of the computing device (e.g., a user of client 205).

At operation 410, it may be identified that a feature of the software application contains code containing a reference to a security configuration service (e.g., the security configuration code 120 as described in FIG. 1).

At operation 415, a security configuration may be determined for the feature of the software application (e.g., by the security configuration service 220 as described in FIG. 2) by comparing a resource identifier and a feature identifier of the feature of the software application to a set of security configurations of the security configuration service (e.g., using semantic matching, etc.). The security configuration may provide rules for the feature of the software application (e.g., access permissions, rights, etc.).

In some embodiments, the security configuration may include a set of access entitlements (e.g., sets of permissions, etc.). In an example, the set of access entitlements may include granular rules to perform operations using the feature of the software application. For example, an encryption entitlement may allow a user to encrypt and decrypt data in data field A, but may not allow the user to encrypt and decrypt data in data field B. In some embodiments, the authorization information may include a set of user entitlements corresponding to the user of the computing device (e.g., a set of permissions, group memberships, etc. corresponding to the user). Comparing the received authorization information to the security configuration may include comparing a user entitlement of the set of user entitlements with an access entitlement included in the security configuration. For example, a user may have an entitlement indicating that the user has an “Author” role. The access entitlements may indicate that the Author role has read, write, and delete access for a feature of an application. The user entitlement of Author role may be compared to the access entitlement for Author roles to grant the user read, write, and delete access to the feature.

At operation 420, a response (e.g., one or more data items requested, etc.) may be sent to the computing device based on a comparison of the received authorization information of the user of the computing device to the determined security configuration. For example, the request may be seeking data items A, B, and C from the feature of the application and the comparison may indicate that the user is allowed access to data items A and B, but not data item C. The response may include data items A and B.

In some embodiments, statistics may be gathered corresponding to the request for data (e.g., frequency of request, average time of request, etc.). A deviation may be determined between the statistics and a model of a standard request for data (e.g., standard frequency of request, standard time of request, etc.). Access may be blocked (e.g., no data returned, error message returned, etc.) to the feature of the software application based on the deviation.

In some embodiments, a security configuration graphical user interface (e.g., security configuration editor as described in FIGS. 3A & 3B, etc.) may be displayed (e.g., by the administration service 230 as described in FIG. 2, etc.). A set of inputs (e.g., mouse clicks, keyboard entries, etc.) may be received via the security configuration graphical user interface. The security configuration may be generated using the received set of inputs.

In some embodiments, it may be determined using the security configuration that a data item identified in the request for data should be encrypted (e.g., by the encryption processor 225 as described in FIG. 2, etc.) before transmission (e.g., sent to the computing device, presented for display, etc.). The data item may be encrypted using an encryption algorithm (e.g., RSA, advanced encryption standard (AES), triple data encryption standard (DES), etc.). The encrypted data item may be included in the response sent to the computing device. In some embodiments, it may be determined using the security configuration that a first data item identified in the request for data should be encrypted before transmission and a second data item identified in the request for data shout be transmitted unencrypted. The first data item may be encrypted using an encryption algorithm. The encrypted first data item and the unencrypted second data item may be included in the response sent to the computing device.

The real-time feature level software security system, such as system 200, may be executed on one or more computer systems (e.g., server computer, client computer, virtual server, cloud service, etc.) communicatively coupled to a network (e.g., wired network, wireless network, etc.). As previously described, the real-time feature level software security system provides security in real-time. This includes the ability to update security configurations and permissions in real-time, as well as processing security requests in real-time. Based on the size of the service base and number of applications, a single server may become overloaded by requests and updates, with a declining ability to provide real-time functionality. The real-time feature level software security system may be distributed to multiple servers and employing load balancing techniques to provide the real-time functionality.

The distributed and load balanced real-time feature level software security system provides scalability, redundancy, caching, and an administrative layer. The multiple servers may be increased and decreased as desired to continually provide real-time security. For example, there may be times of heavy traffic, such as at the end of a quarter, where more security requests are performed than usual. Additional servers may be added at this time to provide continuous security services. Each server, or node, may have an identified set of services (both software application features and security) it may provide.

The multiple servers in the distributed and load balanced system provide redundancy such that when a server fails, the redundancy and replication of the servers may prevent downtime by rerouting requests to other servers. The redundancy and replication may occur between servers, or nodes, within a data center, or may be across multiple data centers. Additionally, automatic failover across geographic areas is provided by distributing data centers of servers, should a failure happen to a region (e.g. network connectivity loss, natural disaster).

The automatic failover may be engaged by environmental threats or a need for load balancing. For example, if a particular build with a first type of operating system is compromised in the release or enterprise environment, then a failover may occur to nodes within the security system which utilize a second type of operating system. The security system may seek out capable nodes during the failover, even if the nodes do not match the failing nodes (e.g., using nodes of a different operating system). A server may be removed if a determination is made that it has been compromised, thus initiating the automatic failover procedures.

The distributed and load balanced real-time feature level software security system may include a local data store for caching the security configurations, permissions, and other security data. This may provide for faster access to more commonly requested security configurations and reducing the need to make a database read for each request.

The administrative layer provides the ability to turn nodes on and off, route traffic, and distribute new services. The administrative layer provides control to manage the distributed systems for proper balancing and allocation of applications, features, and associated security configurations based on the demand and accessibility. This may include allocating multiple copies at multiple nodes to maintain the real-time responsiveness to the security requests.

FIG. 5 illustrates an example 500 of a data center for balancing security requests, in accordance with some embodiments. The client software 505 may be executing on a client device, such as client computer 105 (e.g., personal computer, portable device, smartphone, tablet, etc.). The client device executing the client software 505 may be a local client device or may be a remote computer on a network. The client software 505 may request a security configuration from a data center 510 to access features or feature data of the client software 505. The data center 510 may be multiple data centers. The multiple data centers may communicate the features available through each data center as well as the security configuration to access the features and feature data. Based on the distributed communication of features and security among the data centers, the client software 505 may request a feature and associated security configuration from a first data center, while the feature is not available at the first data center. The first center may provide the requested information, such as the availability of features and the associated security configurations, and then direct the client software 505 to a second data center that may fulfill the request.

Each data center 510 of the distributed and load balanced real-time feature level software security system may include multiple servers to further provide load balancing amongst the connections to each distributed system. Each server within the distributed system may execute different applications and security configuration requests for the associated applications. Multiple servers within data center 510 may execute the same applications and security configurations to provide redundancy and proper bandwidth for those applications and security configurations.

The data center 510 may include multiple servers, such as Server 1 through Server N. Each server, such as server 515, may include multiple ports for connections to the server. Each port may be designated as a connection point for different security configuration services, such as port 520 which is the third port and provides connectivity for Service C. The server may include an internal only designated port, such as port 525. The internal only designated port may be reserved for connections from the security provider, such as to provide updates to the security configurations and security data. The internal only designated port, such as port 525, may be reserved so that a port is always open for making such updates in real-time.

FIG. 6 illustrates a layered security request distribution and balancing system 600, in accordance with some embodiments. Clients 605, using a client devices such as client computer 105, may request features of an application and associated security configurations. The distributed and load balanced real-time feature level software security system may receive such a request and perform load-balancing and discovery 610. Load-balancing and discovery 610 may perform discovery to determine which data center of the distributed set of data centers 615, or nodes, is capable of providing the requested feature. The discovery may identify a set of data centers which may provide the requested feature.

As described in FIG. 1, each feature may be a collection of programming code that may be responsible for performing one or more actions (e.g., data handling, calculations, etc.). Each feature may include a block of security configuration code such as security configuration code 120. The security configuration code 120 may specify a variety of configuration items such as a security configuration provider (e.g., security configuration service 125), a resource name, an application name, an authorization provider (e.g., authorization service 130), and an encryption provider. The load balancing and discovery 610 may perform discovery of the available nodes to identify which have the programming code associated with the requested feature and the security configuration code associated with the feature. The discovery process may be directed at a specific data center (such as the closest geographically located data center) to discover an available server within the data center for providing the feature and security configuration. Based on load and availability, the discovery process may include multiple data centers from the distributed set of data centers 615. The discovery process may use a round robin technique to find an active discovery node.

The identified set of available nodes may be further analyzed to determine the current or anticipated request load for each node. The analysis may identify more or less load heavy nodes and direct the current feature request to a less heavily loaded nodes (or a different data center) to load balance. Load balancing between the nodes may be performed through the use of a load threshold. A load threshold may be determined for all nodes or determined individually for each node, based on the capabilities of each node (e.g., processor speed, network bandwidth). If the load of a particular node is at or exceeds the designated load threshold for the node, then the request may be directed to a different node which has the capability to provide the feature and does not have a load exceeding the node's respective load threshold.

Based on the load balancing of the nodes and data centers 615, and the discovery of which nodes and data centers 615 include the requested programming code and security configuration code for the feature is selected for providing the requested feature. Each node may include a synchronized list of services which are available across nodes and data centers.

Data related to the application features and the security configurations may be stored in a database or data base clusters, such as primary DB cluster 625 and secondary DB cluster 630. A local store 620 may be employed for in-memory caching. The local store 620 may cache more common or frequently requested feature data and security configurations to reduce the number of database lookup requests made to the databases. When a node of the distributed set of data centers 615 receives a feature request and identifies an associated security configuration for the feature request, the node may perform a data retrieval. The data center may first attempt the data retrieval from the local store 620 to reduce the data retrieval time required by performing a database lookup.

The layered security request distribution and balancing system 600 may include an administrative layer 635. The administrative layer 635 may include functionality to configure and control each of the nodes, each of the data centers, and the local store. This may include regulating the traffic to the nodes and data centers and a managing the features and applications available at each of the nodes and each of the data centers, such as how many servers at each data center provide the applications and features. The administrative layer 635 may control nodes and data centers 615 by turning the nodes on and off based on traffic needs. The administrative layer 635 may control the data stored at the local data store 620. This may include identifying which data is used the most, clearing data which is obsolete, and pre-loading data which is anticipated to be in high demand. The administrative layer 635 may control the release of software builds and updates for the applications and features at the data centers. The administrative layer 635 may distribute new services to the nodes and data centers 615.

FIG. 7 illustrates flow diagram of an example of a method 700 for real-time feature level software security balancing, according to various embodiments. The method 700 may provide security for a feature of a software application in real-time. The method 700 may provide similar functionality to that described in FIG. 6 and may employ a variety of components described in FIG. 8.

At operation 705, a request may be received from a computing device (e.g., the client 605 as described in FIG. 6) for data from a feature (e.g., feature 115 as described in FIG. 1) of a software application (e.g., application 110 as described in FIG. 1). The request may include authorization information of a user of the computing device (e.g., a user of client 605). The authorization information may include a set of user entitlements corresponding to the user of the computing device (e.g., the client 605 as described in FIG. 6).

At operation 710, it may be that a set of nodes is identified that provides the feature of the software application and a security configuration service associated with feature of the software application. The set of nodes may be geographically distributed.

At operation 715, a node may be selected from the set of nodes. An operation may be performed to determine a processing bandwidth load for each node in the set of nodes. The operation to select a node from the set of nodes may be based on load balancing the processing bandwidth load of the set of nodes. The load balancing may have an operation to identify nodes from the set of nodes using the respective processing bandwidth load for each node by determining the processing bandwidth load of the node does not exceed a bandwidth threshold. Based on the processing bandwidth of each node and the load balancing, an operation may be performed to enable an additional node. Based on the processing bandwidth of each node and the load balancing, an operation may be performed to disable a node of the set of nodes.

At operation 720, data may be retrieved from a data store local to the node. The data retrieved may be data from the feature and data related to the security configuration service. An operation may be performed, when the data store does not include the data from the feature and data related to the security configuration service, to retrieve, from a database, the data from the feature and data related to the security configuration service.

At operation 725, a security authorization may be performed using the security configurations service, the data related to the security configuration service, and the authorization information. An operation may be performed to compare a user entitlement of the set of user entitlements with an access entitlement included in the security configuration. At operation 730, the requested data from the feature of the software application may be sent, based on the security authorization, to the computing device.

FIG. 8 illustrates a block diagram of an example machine 800 upon which any one or more of the techniques (e.g., methodologies) discussed herein may perform. In alternative embodiments, the machine 800 may operate as a standalone device or may be connected (e.g., networked) to other machines. In a networked deployment, the machine 800 may operate in the capacity of a server machine, a client machine, or both in server-client network environments. In an example, the machine 800 may act as a peer machine in peer-to-peer (P2P) (or other distributed) network environment. The machine 800 may be a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a mobile telephone, a web appliance, a network router, switch or bridge, or any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein, such as cloud computing, software as a service (SaaS), other computer cluster configurations.

Examples, as described herein, may include, or may operate by, logic or a number of components, or mechanisms. Circuit sets are a collection of circuits implemented in tangible entities that include hardware (e.g., simple circuits, gates, logic, etc.). Circuit set membership may be flexible over time and underlying hardware variability. Circuit sets include members that may, alone or in combination, perform specified operations when operating. In an example, hardware of the circuit set may be immutably designed to carry out a specific operation (e.g., hardwired). In an example, the hardware of the circuit set may include variably connected physical components (e.g., execution units, transistors, simple circuits, etc.) including a computer readable medium physically modified (e.g., magnetically, electrically, moveable placement of invariant massed particles, etc.) to encode instructions of the specific operation. In connecting the physical components, the underlying electrical properties of a hardware constituent are changed, for example, from an insulator to a conductor or vice versa. The instructions enable embedded hardware (e.g., the execution units or a loading mechanism) to create members of the circuit set in hardware via the variable connections to carry out portions of the specific operation when in operation. Accordingly, the computer readable medium is communicatively coupled to the other components of the circuit set member when the device is operating. In an example, any of the physical components may be used in more than one member of more than one circuit set. For example, under operation, execution units may be used in a first circuit of a first circuit set at one point in time and reused by a second circuit in the first circuit set, or by a third circuit in a second circuit set at a different time.

Machine (e.g., computer system) 800 may include a hardware processor 802 (e.g., a central processing unit (CPU), a graphics processing unit (GPU), a hardware processor core, or any combination thereof), a main memory 804 and a static memory 806, some or all of which may communicate with each other via an interlink (e.g., bus) 808. The machine 800 may further include a display unit 810, an alphanumeric input device 812 (e.g., a keyboard), and a user interface (UI) navigation device 814 (e.g., a mouse). In an example, the display unit 810, input device 812 and UI navigation device 814 may be a touch screen display. The machine 800 may additionally include a storage device (e.g., drive unit) 816, a signal generation device 818 (e.g., a speaker), a network interface device 820, and one or more sensors 821, such as a global positioning system (GPS) sensor, compass, accelerometer, or other sensor. The machine 800 may include an output controller 828, such as a serial (e.g., universal serial bus (USB), parallel, or other wired or wireless (e.g., infrared (IR), near field communication (NFC), etc.) connection to communicate or control one or more peripheral devices (e.g., a printer, card reader, etc.).

The storage device 816 may include a machine readable medium 822 on which is stored one or more sets of data structures or instructions 824 (e.g., software) embodying or utilized by any one or more of the techniques or functions described herein. The instructions 824 may also reside, completely or at least partially, within the main memory 804, within static memory 806, or within the hardware processor 802 during execution thereof by the machine 800. In an example, one or any combination of the hardware processor 802, the main memory 804, the static memory 806, or the storage device 816 may constitute machine readable media.

While the machine readable medium 822 is illustrated as a single medium, the term “machine readable medium” may include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) configured to store the one or more instructions 824.

The term “machine readable medium” may include any medium that is capable of storing, encoding, or carrying instructions for execution by the machine 800 and that cause the machine 800 to perform any one or more of the techniques of the present disclosure, or that is capable of storing, encoding or carrying data structures used by or associated with such instructions. Non-limiting machine readable medium examples may include solid-state memories, and optical and magnetic media. In an example, a massed machine readable medium comprises a machine readable medium with a plurality of particles having invariant (e.g., rest) mass. Accordingly, massed machine-readable media are not transitory propagating signals. Specific examples of massed machine readable media may include: non-volatile memory, such as semiconductor memory devices (e.g., Electrically Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM)) and flash memory devices; magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.

The instructions 824 may further be transmitted or received over a communications network 826 using a transmission medium via the network interface device 820 utilizing any one of a number of transfer protocols (e.g., frame relay, internet protocol (IP), transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), etc.). Example communication networks may include a local area network (LAN), a wide area network (WAN), a packet data network (e.g., the Internet), mobile telephone networks (e.g., cellular networks), Plain Old Telephone (POTS) networks, and wireless data networks (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards known as Wi-Fi®, IEEE 802.16 family of standards known as WiMax®), IEEE 802.15.4 family of standards, peer-to-peer (P2P) networks, among others. In an example, the network interface device 820 may include one or more physical jacks (e.g., Ethernet, coaxial, or phone jacks) or one or more antennas to connect to the communications network 826. In an example, the network interface device 820 may include a plurality of antennas to wirelessly communicate using at least one of single-input multiple-output (SIMO), multiple-input multiple-output (MIMO), or multiple-input single-output (MISO) techniques. The term “transmission medium” shall be taken to include any intangible medium that is capable of storing, encoding or carrying instructions for execution by the machine 800, and includes digital or analog communications signals or other intangible medium to facilitate communication of such software.

Example 1 is a system for providing security for a feature of a software application in real-time, the system comprising: at least one processor; and a memory including instructions that, when executed by the at least one processor, cause the at least one processor to: receive a request, from a computing device, for data from the feature of the software application, the request for data including authorization information of a user of the computing device; identify a set of nodes that provide the feature of the software application and a security configuration service associated with feature of the software application; select a node from the set of nodes; retrieve, from a data store local to the node, the data from the feature and data related to the security configuration service; perform a security authorization using the security configurations service, the data related to the security configuration service, and the authorization information; and send, based on the security authorization, the requested data from the feature of the software application to the computing device.

In Example 2, the subject matter of Example 1 includes, wherein the instructions further cause the at least one processor to: retrieve, from a database, the data from the feature and data related to the security configuration service, wherein the data store does not include the data from the feature and data related to the security configuration service.

In Example 3, the subject matter of Examples 1-2 includes, wherein the set of nodes may be geographically distributed.

In Example 4, the subject matter of Example 3 includes, wherein the authorization information includes a set of user entitlements corresponding to the user of the computing device; and wherein the security authorization further comprises comparing the received authorization information to the security configuration includes comparing a user entitlement of the set of user entitlements with an access entitlement included in the security configuration.

In Example 5, the subject matter of Examples 1-4 includes, wherein the instructions further cause the at least one processor to: determine a processing bandwidth load for each node in the set of nodes; and select the node from the set of nodes based on load balancing the processing bandwidth load of the set of nodes.

In Example 6, the subject matter of Example 5 includes, wherein the instructions further cause the at least one processor to: identify nodes from the set of nodes, wherein the respective processing bandwidth load does not exceed a bandwidth threshold.

In Example 7, the subject matter of Examples 5-6 includes, wherein the instructions further cause the at least one processor to: enable an additional node based on the processing bandwidth load for each node in the set of nodes.

In Example 8, the subject matter of Examples 5-7 includes, wherein the instructions further cause the at least one processor to: disable a node of the set of nodes based on the processing bandwidth load for each node in the set of nodes.

Example 9 is at least one computer readable medium including instructions for providing security for a feature of a software application in real-time that when executed by at least one processor, cause the at least one processor to: receive a request, from a computing device, for data from the feature of the software application, the request for data including authorization information of a user of the computing device; identify a set of nodes that provide the feature of the software application and a security configuration service associated with feature of the software application; select a node from the set of nodes; retrieve, from a data store local to the node, the data from the feature and data related to the security configuration service; perform a security authorization using the security configurations service, the data related to the security configuration service, and the authorization information; and send, based on the security authorization, the requested data from the feature of the software application to the computing device.

In Example 10, the subject matter of Example 9 includes, instructions to: retrieve, from a database, the data from the feature and data related to the security configuration service, wherein the data store does not include the data from the feature and data related to the security configuration service.

In Example 11, the subject matter of Examples 9-10 includes, wherein the set of nodes may be geographically distributed.

In Example 12, the subject matter of Example 11 includes, wherein the authorization information includes a set of user entitlements corresponding to the user of the computing device; and wherein the security authorization further comprises comparing the received authorization information to the security configuration includes comparing a user entitlement of the set of user entitlements with an access entitlement included in the security configuration.

In Example 13, the subject matter of Examples 9-12 includes, instructions to: determine a processing bandwidth load for each node in the set of nodes; and select the node from the set of nodes based on load balancing the processing bandwidth load of the set of nodes.

In Example 14, the subject matter of Example 13 includes, instructions to: identify nodes from the set of nodes, wherein the respective processing bandwidth load does not exceed a bandwidth threshold.

In Example 15, the subject matter of Examples 13-14 includes, instructions to: enable an additional node based on the processing bandwidth load for each node in the set of nodes.

In Example 16, the subject matter of Examples 13-15 includes, instructions to: disable a node of the set of nodes based on the processing bandwidth load for each node in the set of nodes.

Example 17 is a method for providing security for a feature of a software application in real-time, comprising: receiving a request, from a computing device, for data from the feature of the software application, the request for data including authorization information of a user of the computing device; identifying a set of nodes that provide the feature of the software application and a security configuration service associated with feature of the software application; selecting a node from the set of nodes; retrieving, from a data store local to the node, the data from the feature and data related to the security configuration service; performing a security authorization using the security configurations service, the data related to the security configuration service, and the authorization information; and sending, based on the security authorization, the requested data from the feature of the software application to the computing device.

In Example 18, the subject matter of Example 17 includes, retrieving, from a database, the data from the feature and data related to the security configuration service, wherein the data store does not include the data from the feature and data related to the security configuration service.

In Example 19, the subject matter of Examples 17-18 includes, wherein the set of nodes may be geographically distributed.

In Example 20, the subject matter of Example 19 includes, wherein the authorization information includes a set of user entitlements corresponding to the user of the computing device; and wherein the security authorization further comprises comparing the received authorization information to the security configuration includes comparing a user entitlement of the set of user entitlements with an access entitlement included in the security configuration.

In Example 21, the subject matter of Examples 17-20 includes, determining a processing bandwidth load for each node in the set of nodes; and selecting the node from the set of nodes based on load balancing the processing bandwidth load of the set of nodes.

In Example 22, the subject matter of Example 21 includes, identify nodes from the set of nodes, wherein the respective processing bandwidth load does not exceed a bandwidth threshold.

In Example 23, the subject matter of Examples 21-22 includes, enabling an additional node based on the processing bandwidth load for each node in the set of nodes.

In Example 24, the subject matter of Examples 21-23 includes, disabling a node of the set of nodes based on the processing bandwidth load for each node in the set of nodes.

Example 25 is at least one machine-readable medium including instructions that, when executed by processing circuitry, cause the processing circuitry to perform operations to implement of any of Examples 1-24.

Example 26 is an apparatus comprising means to implement of any of Examples 1-24.

Example 27 is a system to implement of any of Examples 1-24.

Example 28 is a method to implement of any of Examples 1-24.

The above detailed description includes references to the accompanying drawings, which form a part of the detailed description. The drawings show, by way of illustration, specific embodiments that may be practiced. These embodiments are also referred to herein as “examples.” Such examples may include elements in addition to those shown or described. However, the present inventors also contemplate examples in which only those elements shown or described are provided. Moreover, the present inventors also contemplate examples using any combination or permutation of those elements shown or described (or one or more aspects thereof), either with respect to a particular example (or one or more aspects thereof), or with respect to other examples (or one or more aspects thereof) shown or described herein.

All publications, patents, and patent documents referred to in this document are incorporated by reference herein in their entirety, as though individually incorporated by reference. In the event of inconsistent usages between this document and those documents so incorporated by reference, the usage in the incorporated reference(s) should be considered supplementary to that of this document; for irreconcilable inconsistencies, the usage in this document controls.

In this document, the terms “a” or “an” are used, as is common in patent documents, to include one or more than one, independent of any other instances or usages of “at least one” or “one or more.” In this document, the term “or” is used to refer to a nonexclusive or, such that “A or B” includes “A but not B,” “B but not A,” and “A and B,” unless otherwise indicated. In the appended claims, the terms “including” and “in which” are used as the plain-English equivalents of the respective terms “comprising” and “wherein.” Also, in the following claims, the terms “including” and “comprising” are open-ended, that is, a system, device, article, or process that includes elements in addition to those listed after such a term in a claim are still deemed to fall within the scope of that claim. Moreover, in the following claims, the terms “first,” “second,” and “third,” etc. are used merely as labels, and are not intended to impose numerical requirements on their objects.

The above description is intended to be illustrative, and not restrictive. For example, the above-described examples (or one or more aspects thereof) may be used in combination with each other. Other embodiments may be used, such as by one of ordinary skill in the art upon reviewing the above description. The Abstract is to allow the reader to quickly ascertain the nature of the technical disclosure and is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. Also, in the above Detailed Description, various features may be grouped together to streamline the disclosure. This should not be interpreted as intending that an unclaimed disclosed feature is essential to any claim. Rather, inventive subject matter may lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment. The scope of the embodiments should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled. 

What is claimed is:
 1. A system for providing security for a feature of a software application in real-time, the system comprising: at least one processor; and a memory including instructions that, when executed by the at least one processor, cause the at least one processor to: receive a request, from a computing device, for data from the feature of the software application, the request for data including authorization information of a user of the computing device; identify a set of nodes that provide the feature of the software application and that provide a security configuration service associated with the feature of the software application; select a node from the set of nodes; retrieve, from a data store local to the node, the data from the feature and data related to the security configuration service; determine a security configuration for the feature of the software application, including comparing a set of identifiers of the feature to a security configuration of the security configuration service to determine access rules for portions of code associated with functions of the feature; perform a security authorization using the security configurations service, the data related to the security configuration service, and the authorization information; and send, based on the security authorization, the requested data from functions of the feature of the software application to the computing device.
 2. The system of claim 1, wherein the instructions further cause the at least one processor to: retrieve, from a database, the data from the feature and data related to the security configuration service, wherein the data store does not include the data from the feature and data related to the security configuration service.
 3. The system of claim 1, wherein the set of nodes may be geographically distributed.
 4. The system of claim 3, wherein the authorization information includes a set of user entitlements corresponding to the user of the computing device; and wherein the security authorization further comprises comparing the received authorization information to the security configuration includes comparing a user entitlement of the set of user entitlements with an access entitlement included in the security configuration.
 5. The system of claim 1, wherein the instructions further cause the at least one processor to: determine a processing bandwidth load for each node in the set of nodes; and select the node from the set of nodes based on load balancing the processing bandwidth load of the set of nodes.
 6. The system of claim 5, wherein the instructions further cause the at least one processor to: identify nodes from the set of nodes, wherein the respective processing bandwidth load does not exceed a bandwidth threshold.
 7. The system of claim 5, wherein the instructions further cause the at least one processor to: enable an additional node based on the processing bandwidth load for each node in the set of nodes.
 8. The system of claim 5, wherein the instructions further cause the at least one processor to: disable a node of the set of nodes based on the processing bandwidth load for each node in the set of nodes.
 9. At least one computer readable medium including instructions for providing security for a feature of a software application in real-time that when executed by at least one processor, cause the at least one processor to: receive a request, from a computing device, for data from the feature of the software application, the request for data including authorization information of a user of the computing device; identify a set of nodes that provide the feature of the software application and that provide a security configuration service associated with the feature of the software application; select a node from the set of nodes; retrieve, from a data store local to the node, the data from the feature and data related to the security configuration service; determine a security configuration for the feature of the software application, including comparing a set of identifiers of the feature to a security configuration of the security configuration service to determine access rules for portions of code associated with functions of the feature; perform a security authorization using the security configurations service, the data related to the security configuration service, and the authorization information; and send, based on the security authorization, the requested data from functions of the feature of the software application to the computing device.
 10. The at least one computer readable medium of claim 9, further comprising instructions to: retrieve, from a database, the data from the feature and data related to the security configuration service, wherein the data store does not include the data from the feature and data related to the security configuration service.
 11. The at least one computer readable medium of claim 9, wherein the set of nodes may be geographically distributed.
 12. The at least one computer readable medium of claim 11, wherein the authorization information includes a set of user entitlements corresponding to the user of the computing device; and wherein the security authorization further comprises comparing the received authorization information to the security configuration includes comparing a user entitlement of the set of user entitlements with an access entitlement included in the security configuration.
 13. The at least one computer readable medium of claim 9, further comprising instructions to: determine a processing bandwidth load for each node in the set of nodes; and select the node from the set of nodes based on load balancing the processing bandwidth load of the set of nodes.
 14. The at least one computer readable medium of claim 13, further comprising instructions to: identify nodes from the set of nodes, wherein the respective processing bandwidth load does not exceed a bandwidth threshold.
 15. The at least one computer readable medium of claim 13, further comprising instructions to: enable an additional node based on the processing bandwidth load for each node in the set of nodes.
 16. The at least one computer readable medium of claim 13, further comprising instructions to: disable a node of the set of nodes based on the processing bandwidth load for each node in the set of nodes.
 17. A method for providing security for a feature of a software application in real-time, comprising: receiving a request, from a computing device, for data from the feature of the software application, the request for data including authorization information of a user of the computing device; identifying a set of nodes that provide the feature of the software application and that provide a security configuration service associated with the feature of the software application; selecting a node from the set of nodes; retrieving, from a data store local to the node, the data from the feature and data related to the security configuration service; determining a security configuration for the feature of the software application, including comparing a set of identifiers of the feature to a security configuration of the security configuration service to determine access rules for portions of code associated with functions of the feature; performing a security authorization using the security configurations service, the data related to the security configuration service, and the authorization information; and sending, based on the security authorization, the requested data from functions of the feature of the software application to the computing device.
 18. The method of claim 17, further comprising: retrieving, from a database, the data from the feature and data related to the security configuration service, wherein the data store does not include the data from the feature and data related to the security configuration service.
 19. The method of claim 17, wherein the set of nodes may be geographically distributed.
 20. The method of claim 19, wherein the authorization information includes a set of user entitlements corresponding to the user of the computing device; and wherein the security authorization further comprises comparing the received authorization information to the security configuration includes comparing a user entitlement of the set of user entitlements with an access entitlement included in the security configuration.
 21. The method of claim 17, further comprising: determining a processing bandwidth load for each node in the set of nodes; and selecting the node from the set of nodes based on load balancing the processing bandwidth load of the set of nodes.
 22. The method of claim 21, further comprising: identify nodes from the set of nodes, wherein the respective processing bandwidth load does not exceed a bandwidth threshold.
 23. The method of claim 21, further comprising: enabling an additional node based on the processing bandwidth load for each node in the set of nodes.
 24. The method of claim 21, further comprising: disabling a node of the set of nodes based on the processing bandwidth load for each node in the set of nodes. 